

SCI/TECH: New DNS Attack Installs Spyware, Steals Information



posted on Mar, 9 2005 @ 10:41 AM
Recently, a new method of hijacking an internet user's URL request for a legitimate website and redirecting it to a maliciously designed site that installs spyware has surfaced. Using a previously discovered flaw in some corporate internet security appliances, someone was able to take requests for sites, including Google and eBay, and point them toward servers that take advantage of holes in web browser security to install spyware which can steal valuable personal data.

Phishers pushing spyware through DNS holes
The warning follows reports Friday that some people's computers were being redirected from sites such as eBay and Google to malicious Web servers that attempted to install spyware. The compromises affected 30 to 40 networks, according to Jason Lam, incident handler for the Internet Storm Centre, which tracks network threats.
"It's hard to tell how many people were impacted by this, but it wasn't very widespread," Lam said Tuesday.
The attacks compromised DNS servers to replace the numeric addresses of popular Web sites with the addresses of malicious sites run by the attackers. Known as DNS poisoning, the scheme redirects Internet users to bogus sites where they may be asked for sensitive information or have spyware installed on their PCs.

Please visit the link provided for the complete story.

This particular attack appears to have been directed at a number of corporate security appliances distributed by Symantec. The vulnerability that was exploited in some cases had been identified in June 2004 and hotfixes were issued, but it has not been established whether the compromised DNS caches were on unpatched machines or whether the patch that was issued failed to fully correct the problem.

More disturbing are the reports of DNS cache poisoning from organizations that do not use Symantec products. With this news, it appears that there may be a broader attack in the works.

The Internet Storm Center has noted that those who were victims of these URL re-directs ran the risk of having the ABX Toolbar installed using an ActiveX control flaw that was fixed in Service Pack 2 for Microsoft Windows XP. Not much is known about the nature of this spyware, but as information comes out it will be shared here.

If you think you have been affected by the ABX Toolbar exploit, the following removal instructions were provided by ISC.

Run Regedit and search for "abx" (do not include quotes). Remove all references containing "abx" from the registry. There are at least two Keys in the registry that contain several Values related to this spyware. On my test workstation, one of them was: HKCU\software\xbtb01186\toolbar.
I am not sure, but the "xbtb01186" may be a randomly generated Key, but within that Key will be several Values with "abx" references. Remove the entire Key starting at "xbtb01186".
You will need to delete two files in the "Download Program Files" directory under your Windows directory. In Windows XP they will be under c:\windows\Download Program Files. In NT they will be under c:\winnt\Download Program Files. The file names are:
The "Download Program Files" directory stores the ActiveX Cache used when starting up Internet Explorer. This directory may be hidden, so make sure your Explorer settings allow you to view hidden files.

The above was taken from the 2005-03-07 ISC Diary.

DNS hijacking attacks, while still not common, pose a growing threat to internet users. The practice of phishing to steal user data currently relies on tricking someone into visiting a site with a spoofed address using a link in email, instant message, etc. This new technique is particularly devious because it can use the actual address of a site to take unsuspecting consumers to a fake page, thus creating a sense of security that may make them more likely to reveal usernames, passwords, and account information. This method could be virtually undetectable to most internet users.

This could be the new face of computer crime, since the target of the actual attack is not individual computers but larger corporate services that affect thousands of consumers.
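Cache poisoning works because a resolver or DNS proxy caches records it was never entitled to trust: a transaction it did not ask for, or a record for some unrelated domain smuggled into the answer. The following Python example is added here and is not code from the original post, the ISC diary, or Symantec; it illustrates the general defensive rule, not the specific flaw in the Symantec appliances, which the page does not describe. It contains a minimal parser for the DNS wire format (with a hop limit on compression pointers, since a malformed message is itself an attack surface) and a "bailiwick" filter that keeps only records whose owner name belongs to the queried zone and whose transaction id matches the outstanding query. The hostnames, the IP addresses (documentation ranges) and the transaction id are constructed, and treating the parent domain of the queried name as the zone is a simplification of what real resolvers do.

```python
"""Minimal DNS wire-format parser with a bailiwick filter (added example)."""
import struct
from dataclasses import dataclass

TYPE_A = 1
CLASS_IN = 1
MAX_POINTER_HOPS = 16  # guard against looping compression pointers


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_record(name: str, ip: str, ttl: int = 300) -> bytes:
    """Build one IN A resource record in wire format."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname: str, answers, additional, txid: int) -> bytes:
    """Assemble a standard response: header, one question, then A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b"".join(build_a_record(n, ip) for n, ip in answers + additional)
    return header + question + body


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


@dataclass
class Record:
    name: str
    rtype: int
    ttl: int
    rdata: bytes
    section: str


def parse_response(msg: bytes):
    """Parse the header, the question and all three record sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            records.append(Record(name, rtype, ttl, msg[offset:offset + rdlen], section))
            offset += rdlen
    return txid, flags, questions, records


def bailiwick_of(qname: str) -> str:
    """Assumption: the parent domain of the query is the zone the server may speak for."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def rdata_text(r: Record) -> str:
    return ".".join(str(b) for b in r.rdata) if r.rtype == TYPE_A else r.rdata.hex()


def check_response(qname: str, msg: bytes, expected_txid: int) -> dict:
    """Split a response into records a cautious cache may keep and records it must drop."""
    txid, _flags, questions, records = parse_response(msg)
    accepted, rejected = [], []
    if txid != expected_txid or not questions or questions[0][0] != qname.lower():
        # Unsolicited or mismatched reply: cache nothing from it.
        rejected = [(r.name, rdata_text(r), "txid/question mismatch") for r in records]
        return {"accepted": accepted, "rejected": rejected}
    zone = bailiwick_of(qname)
    for r in records:
        if r.name == zone or r.name.endswith("." + zone):
            accepted.append((r.name, rdata_text(r)))
        else:
            rejected.append((r.name, rdata_text(r), f"out of bailiwick ({r.section} section)"))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample: a legitimate answer for www.example.com plus an unrelated
# example.org record planted in the Additional section (documentation IP ranges).
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = build_response(
    "www.example.com",
    answers=[("www.example.com", "203.0.113.10")],
    additional=[("login.example.org", "198.51.100.7")],
    txid=SAMPLE_TXID,
)

if __name__ == "__main__":
    verdict = check_response("www.example.com", SAMPLE_RESPONSE, SAMPLE_TXID)
    for name, ip in verdict["accepted"]:
        print(f"accept  {name} -> {ip}")
    for name, ip, why in verdict["rejected"]:
        print(f"reject  {name} -> {ip}  ({why})")
```

Run as a script, the planted example.org record is rejected while the www.example.com answer is kept; supplying a different transaction id rejects the whole message. Real resolvers determine the bailiwick from the delegation point rather than the parent domain, and also randomize the source port and transaction id so that a forged reply is unlikely to match an outstanding query in the first place.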

Please see the ATSNN Exclusive report on the subject of DNS Hijacking listed below for more details on the potential of this threat.

Related ATS Discussions
EXCLUSIVE: Med Network DNS Hijack, A Web Exploit That May Spell Cyber-Disaster

Related News Links
Global DNS cache poisoning attack?; Update
Possible Domain Poisoning Underway
Symantec Gateway Security Products DNS Cache Poisoning Vulnerability
Symantec Hotfix Information

[edit on 9-3-2005 by Spectre]